From 34012d409fc04a5b86c6f7413c238bc6410631d4 Mon Sep 17 00:00:00 2001 From: Wolfgang Müller Date: Sun, 16 May 2021 21:04:13 +0200 Subject: posts: Clarify that signatures can also be obtained via cgit Commit 751da2c (posts: Update posts to reflect usage of cgit's signature mechanism, 2021-05-06) updated the project pages as well as "Verifying snapshots with signify" with information regarding the new cgit signature mechanism, but neglected to mention that signatures can be obtained directly through git.oriole.systems as well (the project pages merely deeplink to that). Furthermore, with commit 28c2473 (posts: Add a new post: "Hosting signify signatures on cgit", 2021-05-16) we now have an explanatory piece which we can link if people are interested in the underlying infrastructure. --- posts/verify-with-signify.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/posts/verify-with-signify.md b/posts/verify-with-signify.md index d2061e2..85da646 100644 --- a/posts/verify-with-signify.md +++ b/posts/verify-with-signify.md @@ -4,7 +4,7 @@ author: Wynn Wolf Arbor I use the [signify](https://flak.tedunangst.com/post/signify) tool to cryptographically sign all software downloads you will find on this -site. +site and on [git.oriole.systems](https://git.oriole.systems). Whilst you technically don't need `signify` to verify the _integrity_ of downloaded files, I strongly recommend using it to also verify the @@ -20,8 +20,8 @@ browser or a tool like `curl` or `wget` to obtain the tarballs. ### Obtaining the signature and checksum Whether or not you decide to use `signify` to verify downloaded files, you need -to obtain the detached signature linked on the respective project page. It -contains the signature as well as the checksum. +to obtain the detached signature linked on the respective project page or git +repository[^1]. It contains the signature as well as the checksum. ### Obtaining the public key @@ -55,3 +55,5 @@ the `sha256sum` tool to only verify the integrity of the download: $ tail -n1 .asc | sha256sum -c : OK + +[^1]: If you are interested in how this is put together, check out [this](signify-cgit) post. -- cgit v1.2.3-2-gb3c3